Abstract

In this note, we go further on the "basis exchange" idea presented in
[2] by using Möbius inversion. We show that the matrix $S_1(f)S_0(f)^{-1}$
has a nice form when $f$ is chosen to be the majority function, where $S_1(f)$
is the matrix with row vectors $v_k(\alpha)$ for all $\alpha \in 1_f$ and $S_0(f) = S_1(f \oplus 1)$.
And an exact counting for Boolean functions with maximum algebraic
immunity by exchanging one point in on-set with one point in off-set of the
majority function is given. Furthermore, we present a necessary condition
according to weight distribution for Boolean functions to achieve algebraic
immunity not less than a given number.

Index Terms: algebraic attacks, algebraic degree, algebraic immunity,
Boolean functions.

1 Introduction

Let $\mathbb{F}_2$ be the finite field with only two elements. To prevent confusion with the
usual sum, the sum over $\mathbb{F}_2$ is denoted by $\oplus$. The Hamming weight of a vector
$\alpha = (\alpha_1, \dots, \alpha_n)$ is defined by $\mathrm{wt}(\alpha) = \sum_{i=1}^{n} \alpha_i$.

A Boolean function on $n$ variables may be viewed as a mapping from $\mathbb{F}_2^n$ into
$\mathbb{F}_2$. We denote by $B_n$ the set of all $n$-variable Boolean functions. The Hamming
weight $\mathrm{wt}(f)$ is the size of the support $\mathrm{supp}(f) = \{x \in \mathbb{F}_2^n \mid f(x) = 1\}$. The
support of $f$ is also called the on set of $f$, which is denoted by $1_f$. On the
contrary, the off set of $f$ is the set $\{x \in \mathbb{F}_2^n \mid f(x) = 0\}$, which is denoted by $0_f$.
Any $f \in B_n$ can be uniquely represented as

$$f(x_1, x_2, \dots, x_n) = \bigoplus_{\alpha \in \mathbb{F}_2^n} c_\alpha \prod_{i=1}^{n} x_i^{\alpha_i} = \bigoplus_{\alpha \in \mathbb{F}_2^n} c_\alpha x^{\alpha}. \qquad (1)$$

This kind of expression of $f$ is called the Algebraic Normal Form (ANF). The
algebraic degree of $f$ is the number of variables in the highest order term with
nonzero coefficient, which is denoted by $\deg(f)$.

For $f, g \in B_n$ and $g \neq 0$, $g$ is called an annihilator of $f$ if $f \cdot g = 0$. The
algebraic immunity (AI) [8] of $f$ is defined to be the minimum degree of an
annihilator of $f$ or $f \oplus 1$. It's proved [3] that the algebraic immunity of functions
in $B_n$ is upper bounded by $\lceil n/2 \rceil$.

A majority function $f$ in $B_{2k-1}$ or $B_{2k}$ is defined as

$$f(\alpha) = \begin{cases} 0, & \mathrm{wt}(\alpha) < k, \\ 1, & \mathrm{wt}(\alpha) \ge k. \end{cases}$$

It's well-known that $AI(f) = k$, which achieves the maximum.

In linear space $\mathbb{F}_2^n$ we define a partial order as follows. For $\alpha, \beta \in \mathbb{F}_2^n$,
$\alpha = (\alpha_1, \dots, \alpha_n)$ and $\beta = (\beta_1, \dots, \beta_n)$, $\alpha \preceq \beta$ if and only if $\alpha_i \le \beta_i$ for all
$1 \le i \le n$. Similarly, for two nonnegative integers $a$ and $b$ with binary representation
$(a_n, \dots, a_0)_2$, $(b_n, \dots, b_0)_2$ respectively, we define $a \preceq b$ if and only if $a_i \le b_i$
holds for all $0 \le i \le n$. Furthermore, we define $a \wedge b = (a_n b_n, \dots, a_0 b_0)$. In
other words, $a \wedge b$ is the common greatest lower bound over a lattice induced
by partial order on integers.

Throughout this paper, we use $\binom{n}{m}$ to denote the binomial coefficient
and $\left[{n \atop m}\right]$ to denote its value modulo 2, i.e., $\left[{n \atop m}\right]$ could be viewed as the value of $\binom{n}{m}$
over $\mathbb{F}_2$.

It's easy to prove that $\left[{n \atop m}\right] = 1$ if and only if $m \preceq n$. And equation

$$\left[{n \atop m}\right] = \left[{\lfloor n/q \rfloor \atop \lfloor m/q \rfloor}\right] \left[{n \bmod q \atop m \bmod q}\right]$$

holds if positive integer $q$ is a power of 2.

For any matrix $A \in \mathbb{F}_2(n \times m)$, denote by $A^T$ the transpose of $A$. Denote by

$$A(i_1, i_2, \dots, i_p; j_1, j_2, \dots, j_q) \quad \text{and} \quad A(j_1, j_2, \dots, j_q)$$

the submatrix consisting of the $i_1$th, $i_2$th, ..., $i_p$th rows and the $j_1$th, $j_2$th,
..., $j_q$th columns of $A$ and the submatrix consisting of the $j_1$th, $j_2$th, ..., $j_q$th
columns of $A$. We use $A(i, j)$ for the $(i, j)$ element of the matrix $A$. Sometimes
the rows and columns of a matrix are indexed by vectors. Sometimes the rows
and columns are indexed by integers starting from 1.

Following is a lemma which will be used in the sequel.

Lemma 1.1. Let $S$ be an $n$-set. Let $V$ be the $2^n$-dimensional vector space
(over some field $\mathcal{K}$) of all functions $f: 2^S \to \mathcal{K}$. Let $\phi: V \to V$ be the linear
transformation defined by

$$\phi f(T) = \sum_{Y \supseteq T} f(Y), \quad \text{for all } T \subseteq S.$$

Then $\phi^{-1}$ exists and is given by

$$\phi^{-1} f(T) = \sum_{Y \supseteq T} (-1)^{|Y - T|} f(Y), \quad \text{for all } T \subseteq S.$$

2 Main Results 



We adopt the notation in [2]. For convenience, let $d(n,k) = \sum_{i=0}^{k} \binom{n}{i}$. Given
$k < \lceil n/2 \rceil$, for $\alpha \in \mathbb{F}_2^n$, let

$$v_k(\alpha) = (1, \alpha_1, \dots, \alpha_n, \alpha_1\alpha_2, \dots, \alpha_{n-1}\alpha_n, \dots, \alpha_1 \cdots \alpha_k, \dots, \alpha_{n-k+1} \cdots \alpha_n) \in \mathbb{F}_2^{d(n,k)}$$

and $S_1(f)$ be the matrix with row vectors $v_k(\alpha)$ for all $\alpha \in 1_f$ and $S_0(f)$ be
the matrix with row vectors $v_k(\beta)$ for all $\beta \in 0_f$. Here, row vectors are firstly
ordered by their weight, secondly by lexicographical order. It's well known that
$f$ has algebraic immunity greater than $k$ if and only if both row vectors in $S_1(f)$
and those in $S_0(f)$ are two generating sets of $\mathbb{F}_2^{d(n,k)}$.
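Rewrite $v_k(\alpha)$, $\alpha \in \mathbb{F}_2^n$ as follows.

$$v_k(\alpha) = \bigoplus_{\substack{\beta \preceq \alpha \\ \mathrm{wt}(\beta) \le k}} e_\beta, \qquad (2)$$

where $e_\beta$ is a vector in $\mathbb{F}_2^{d(n,k)}$ with one position 1 and the remaining positions 0, and
$e_{\beta_1} \neq e_{\beta_2}$ if $\beta_1 \neq \beta_2$. Thus $\{e_\beta \mid \mathrm{wt}(\beta) \le k\}$ forms a basis of $\mathbb{F}_2^{d(n,k)}$.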

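Using Möbius inversion, i.e., applying Lemma 1.1 with $\mathcal{K} = \mathbb{F}_2$ and vector $\alpha \in \mathbb{F}_2^n$
corresponding to a subset $\bigcup_{\alpha_i = 0} \{s_i\}$ of $n$-set $S = \{s_1, s_2, \dots, s_n\}$, we have

$$e_\beta = \bigoplus_{\alpha \preceq \beta} (-1)^{\mathrm{wt}(\beta) - \mathrm{wt}(\alpha)} v_k(\alpha) \qquad (3)$$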



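for $\mathrm{wt}(\beta) \le k$. Substituting (3) to (2) for those $\alpha$ with weight greater than $k$,
we have

$$\begin{aligned}
v_k(\alpha) &= \bigoplus_{\substack{\beta \preceq \alpha \\ \mathrm{wt}(\beta) \le k}} e_\beta
 = \bigoplus_{\substack{\beta \preceq \alpha \\ \mathrm{wt}(\beta) \le k}} \ \bigoplus_{\gamma \preceq \beta} v_k(\gamma) \\
&= \bigoplus_{\mathrm{wt}(\gamma) \le k} \Bigg( \bigoplus_{\substack{\gamma \preceq \beta \preceq \alpha \\ \mathrm{wt}(\beta) \le k}} 1 \Bigg) v_k(\gamma) \\
&= \bigoplus_{\substack{\gamma \preceq \alpha \\ \mathrm{wt}(\gamma) \le k}} \Bigg( \bigoplus_{\mathrm{wt}(\beta) = \mathrm{wt}(\gamma)}^{k} \left[{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma) \atop \mathrm{wt}(\beta) - \mathrm{wt}(\gamma)}\right] \Bigg) v_k(\gamma) \\
&= \bigoplus_{\substack{\gamma \preceq \alpha \\ \mathrm{wt}(\gamma) \le k}} \left[{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma) - 1 \atop k - \mathrm{wt}(\gamma)}\right] v_k(\gamma). \qquad (4)
\end{aligned}$$

The last step is valid, since $\left[{n \atop 0}\right] \oplus \left[{n \atop 1}\right] \oplus \cdots \oplus \left[{n \atop m}\right] = \left[{n-1 \atop m}\right]$ holds for $n \ge 1$,
$m \ge 0$, which can be easily proved by induction. Therefore, all $v_k(\alpha)$, $\alpha \in \mathbb{F}_2^n$
can be explicitly represented as linear combinations of vectors $v_k(\alpha)$, $\mathrm{wt}(\alpha) \le k$,
which form a basis of $\mathbb{F}_2^{d(n,k)}$.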

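Denote by $S_{n,k}$ the $2^n \times d(n,k)$ matrix of which each row consists of the
coefficients of the vector $v_k(\alpha)$ represented in basis $\{v_k(\beta) \mid \mathrm{wt}(\beta) \le k\}$. If
the rows of $S_{n,k}$ are indexed by all vectors in $\mathbb{F}_2^n$ and the columns indexed by
vectors with weight $\le k$, then

$$S_{n,k}(\alpha, \beta) = \begin{cases}
1, & \mathrm{wt}(\alpha) \le k \text{ and } \alpha = \beta, \\
1, & \mathrm{wt}(\alpha) > k,\ \beta \preceq \alpha \text{ and } \left[{\mathrm{wt}(\alpha) - \mathrm{wt}(\beta) - 1 \atop k - \mathrm{wt}(\beta)}\right] = 1, \\
0, & \text{otherwise.}
\end{cases} \qquad (5)$$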



Sometimes, it's suitable to write $S_{n,k}$ into partitioned matrices. Assume both
row and column index vectors of $S_{n,k}$ are firstly ordered by their weight, secondly
by lexicographical order. Then $S_{n,k} = \begin{pmatrix} I_{d(n,k)} \\ T_{n,k} \end{pmatrix}$ and $T_{n,k} \in \mathbb{F}_2(d(n,n-k) \times d(n,k))$
is partitioned into $(n-k) \times (k+1)$ submatrices, that is $T_{n,k} = (T_{ij})_{(n-k) \times (k+1)}$
and $T_{ij} = \left[{i+k-j \atop k-j+1}\right] M_{i+k,j-1}$. Here $M_{i,j}(n)$ represents the $\binom{n}{i}$
by $\binom{n}{j}$ matrix of 0's and 1's whose rows are indexed by $i$-subsets $I$ of an $n$-set
$X$, whose columns are indexed by the $j$-subsets $J$ of the same set $X$, and where
the entry $M_{i,j}(I, J)$ in row $I$ and column $J$ is 1 if $I \supseteq J$ and is 0 otherwise [4].

Theorem 2.1. The number of Boolean functions $f$ in $B_n$ with algebraic immunity
$k + 1 \le \lceil n/2 \rceil$ and $|1_f| = d(n,k)$ equals the number of invertible submatrices
in $T_{n,k} = (T_{ij})_{(n-k) \times (k+1)} \in \mathbb{F}_2(d(n,n-k) \times d(n,k))$, where
$T_{ij} = \left[{i+k-j \atop k-j+1}\right] M_{i+k,j-1}$.

Specifically, when $n = 2k + 1$, the number of Boolean functions achieving
maximum algebraic immunity is the number of invertible submatrices in $T_{n,k}$.

Proof. Since $S_{n,k} = (I_{d(n,k)}, T_{n,k})^T$, any set of $d(n,k)$ linearly independent rows
in $S_{n,k}$ corresponds to an invertible matrix in $T_{n,k}$ [2], which gives the number
of Boolean functions having no annihilators with degree $\le k$.

On the other hand, assume there exists $g \in B_n$ such that $(f + 1)g = 0$ and
$0 < \deg(g) \le k$, which implies $1_f \supseteq 1_g$. Taking an arbitrary $\beta \in 1_g$, define
$1_{f'} = 1_f \setminus \{\beta\}$. Since $|1_{f'}| < |1_f| = d(n,k)$, by solving linear equations
on $d(n,k)$ variables, we know there exists $0 \neq h \in B_n$ such that $\deg(h) \le k$
and $f'h = 0$, i.e., $1_f \subseteq 0_h \cup \{\beta\}$. Combining $1_g \subseteq 1_f \subseteq 0_h \cup \{\beta\}$, we have
$1_h \cap 1_g = \{\beta\}$, i.e., $hg$ takes 1 only at one point $\beta$, which contradicts
$\deg(hg) \le \deg(h) + \deg(g) \le 2k < n$. Therefore, $f + 1$ also has no annihilator
with degree $k$ or less.

When $n = 2k + 1$, only balanced Boolean functions can achieve maximum
algebraic immunity [?], and thus the other part is proved. □

Example 2.2. Let $n = 15$, $k = 7$. If $f$ is the majority function in $B_n$, then
$S_1(f)S_0(f)^{-1} = T_{n,k}$, which is

$$\begin{pmatrix}
M_{8,0} & M_{8,1} & M_{8,2} & M_{8,3} & M_{8,4} & M_{8,5} & M_{8,6} & M_{8,7} \\
 & M_{9,1} & & M_{9,3} & & M_{9,5} & & M_{9,7} \\
 & & M_{10,2} & M_{10,3} & & & M_{10,6} & M_{10,7} \\
 & & & M_{11,3} & & & & M_{11,7} \\
 & & & & M_{12,4} & M_{12,5} & M_{12,6} & M_{12,7} \\
 & & & & & M_{13,5} & & M_{13,7} \\
 & & & & & & M_{14,6} & M_{14,7} \\
 & & & & & & & M_{15,7}
\end{pmatrix}$$

After knowing the explicit form of $S_{n,k}$, some counting results concerning
algebraic immunity can be improved, such as the number of Boolean functions
with maximum algebraic immunity in odd variables, which is proved to be not
less than $2^{2^{n-1}}$ [2].

One possible way of counting or constructing all Boolean functions with
maximum AI is to exchange some points in on-set with some in off-set of the
majority function. With the explicit form of $S_{n,k}$, the following theorem concerns
a simple situation that exchanging one point in $1_f$ with another in $0_f$,
where $f$ is the majority function in odd number of variables.



Theorem 2.3. There are exactly

$$\sum_{\substack{i \wedge j = 0 \\ 0 \le i,j \le k-1}} \binom{2k-1}{i+j+1,\ k-i-1,\ k-j-1} \qquad (6)$$

Boolean functions in $B_{2k-1}$ achieving maximum algebraic immunity by exchanging
one point in $1_f$ with one point in $0_f$, where $f$ is the majority function in $B_{2k-1}$.
Proof. It's clear that the number of such Boolean functions equals the number
of the invertible one by one matrices, i.e., the number of 1's, in $S_1(f)S_0(f)^{-1} =
T_{2k-1,k-1}$, where $f$ is the majority function. Thus, let's count the number of
1's in the matrix $T_{2k-1,k-1}$. Firstly, the number of 1's in an arbitrary row in
matrix $M_{i,j}$ is $\binom{i}{j}$, and thus there are $\binom{n}{i}\binom{i}{j}$ number of 1's in $M_{i,j}$.

Since $T_{ij} = M_{i+k-1,j-1}(n)$ if $\left[{i-j+k-1 \atop k-j}\right] = 1$, which is equivalent to
$(k - j) \preceq (i - j + k - 1)$, the total number of 1's in $T_{2k-1,k-1}$ is

$$\sum_{\substack{(k-j) \preceq (i-j+k-1) \\ 1 \le i,j \le k}} \binom{2k-1}{i+k-1} \binom{i+k-1}{j-1}.$$

Replacing $j$ in the above equation by $k - j$ and replacing $i$ by $i + 1$, we have

$$\sum_{\substack{j \preceq (i+j) \\ 0 \le i,j \le k-1}} \binom{2k-1}{i+k} \binom{i+k}{k-1-j}
 = \sum_{\substack{j \preceq (i+j) \\ 0 \le i,j \le k-1}} \binom{2k-1}{i+j+1,\ k-i-1,\ k-j-1}.$$

Noting that $j \preceq (i + j)$ is equivalent to $i \wedge j = 0$, the proof is complete. □
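A numerical check of Theorem 2.3 for small $k$, given as an added example that is not part of the original paper. It compares a brute-force count over all single-point exchanges with the block count obtained from (5) and with the closed form (6); the function names are chosen here for illustration.

```python
from itertools import combinations
from math import comb, factorial

def monomials(n, d):
    """Bitmasks beta of all monomials x^beta with wt(beta) <= d."""
    return [sum(1 << i for i in c)
            for r in range(d + 1) for c in combinations(range(n), r)]

def v(alpha, mons):
    """v_d(alpha) packed into an int: bit j is 1 iff beta_j is covered by alpha."""
    return sum(1 << j for j, b in enumerate(mons) if (b & alpha) == b)

def rank_gf2(rows):
    """Rank over F_2 of rows given as ints (XOR basis keyed by leading bit)."""
    pivots = {}
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in pivots:
                pivots[h] = r
                break
            r ^= pivots[h]
    return len(pivots)

def brute_force(k):
    """Exchange one on-point with one off-point of majority in B_{2k-1}; count AI = k."""
    n = 2 * k - 1
    mons = monomials(n, k - 1)
    vec = [v(a, mons) for a in range(2 ** n)]
    on = [a for a in range(2 ** n) if bin(a).count("1") >= k]
    off = [a for a in range(2 ** n) if bin(a).count("1") < k]
    full = lambda pts: rank_gf2(vec[a] for a in pts) == len(mons)
    return sum(full([x for x in on if x != a] + [b]) and
               full([x for x in off if x != b] + [a])
               for a in on for b in off)

def ones_in_T(k):
    """1's in T_{2k-1,k-1}: block M_{w,u} is present by (5) and holds C(n,w)C(w,u) ones."""
    n = 2 * k - 1
    return sum(comb(n, w) * comb(w, u)
               for w in range(k, n + 1) for u in range(k)
               if ((k - 1 - u) & ~(w - u - 1)) == 0)  # (k-1-u) covered by (w-u-1)

def formula_6(k):
    """Right-hand side of (6)."""
    n, f = 2 * k - 1, factorial
    return sum(f(n) // (f(i + j + 1) * f(k - i - 1) * f(k - j - 1))
               for i in range(k) for j in range(k) if (i & j) == 0)

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, brute_force(k), ones_in_T(k), formula_6(k))
```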

We can obtain a similar counting result in even number of variables using the
same method, of which the proof is omitted here.

Theorem 2.4. There are exactly

$$\sum_{\substack{i \wedge j = 0 \\ 0 \le i \le k \\ 0 \le j \le k-1}} \binom{2k}{i+j+1,\ k-i,\ k-j-1}$$

Boolean functions in $B_{2k}$ achieving maximum algebraic immunity by exchanging
one point in $1_f$ with one point in $0_f$, where $f$ is the majority function in $B_{2k}$.

Due to the nice structure of $S_{n,k}$, a necessary condition only concerning the
weight distribution of on-set and off-set for a Boolean function to achieve high
algebraic immunity can be obtained.

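Theorem 2.5. Let $f \in B_n$ be a Boolean function having no annihilator with
degree $\le k$. Then for any integers $0 \le w_1 < w_2 < \cdots < w_m \le k$, $m \ge 1$, we
have

$$\#\{\alpha \in 1_f \mid \mathrm{wt}(\alpha) = w_i \text{ or } (k - w_i) \preceq (\mathrm{wt}(\alpha) - w_i - 1),\ 1 \le i \le m\} \ \ge\ \sum_{i=1}^{m} \binom{n}{w_i}.$$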



Proof. We use $\{v_k(\alpha) \mid \mathrm{wt}(\alpha) \le k\}$ as a basis in $\mathbb{F}_2^{d(n,k)}$ instead of $\{e_\beta \mid \mathrm{wt}(\beta) \le
k\}$ to represent $v_k(\alpha)$, $\alpha \in \mathbb{F}_2^n$. Thus the $2^n \times d(n,k)$ coefficient matrix is
$S_{n,k}$, which has an explicit form (5).

Since $f$ has no annihilators with degree $\le k$, there exist $d(n,k)$ vectors
in $1_f$, say $\alpha_1, \dots, \alpha_{d(n,k)}$, such that $v_k(\alpha_1), \dots, v_k(\alpha_{d(n,k)})$ are linearly
independent, i.e., they form a basis of $\mathbb{F}_2^{d(n,k)}$. Taking the corresponding rows
in matrix $S_{n,k}$, we obtain a square matrix with full rank $S^*_{n,k}$. Denote the
indexes of the columns in $S^*_{n,k}$ corresponding to the vectors with weight equal to
some $w_i$ by $j_1, \dots, j_{\sum_{i=1}^{m} \binom{n}{w_i}}$. Since $S^*_{n,k}$ has full rank, there exist integers
$i_1, \dots, i_{\sum_{i=1}^{m} \binom{n}{w_i}}$ such that $S^*_{n,k}(i_1, \dots, i_{\sum_{i=1}^{m} \binom{n}{w_i}}; j_1, \dots, j_{\sum_{i=1}^{m} \binom{n}{w_i}})$ also has
full rank, which implies that there are no all-zero rows in this submatrix.
Thus there are at least $\sum_{i=1}^{m} \binom{n}{w_i}$ vectors in $1_f$ corresponding to nonzero rows
in $S_{n,k}(j_1, \dots, j_{\sum_{i=1}^{m} \binom{n}{w_i}})$.

Now, let's count the vectors in $1_f$ corresponding to nonzero rows in submatrix
$S_{n,k}(j_1, \dots, j_{\sum_{i=1}^{m} \binom{n}{w_i}})$. According to (5), row $\alpha$ is nonzero if and only if
$\mathrm{wt}(\alpha) = w_i$ or $\left[{\mathrm{wt}(\alpha) - w_i - 1 \atop k - w_i}\right] = 1$ for some $w_i$. Therefore, there are

$$\#\{\alpha \in 1_f \mid \mathrm{wt}(\alpha) = w_i \text{ or } (k - w_i) \preceq (\mathrm{wt}(\alpha) - w_i - 1),\ 1 \le i \le m\}$$

nonzero rows, which should be not less than $\sum_{i=1}^{m} \binom{n}{w_i}$. □

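Applying the last theorem to both $f$ and $f + 1$, we have the following corollary.

Corollary 2.6. Let $f \in B_n$ with algebraic immunity greater than $k$. Then for
any integers $0 \le w_1 < w_2 < \cdots < w_m \le k$, $m \ge 1$, letting $I = \bigcup_{i=1}^{m} \{w_i\}$ and
$J = \bigcup_{i=1}^{m} \{k + 1 \le w \le n \mid (k - w_i) \preceq (w - w_i - 1)\}$, we have

$$\sum_{i \in I} \binom{n}{i} \ \le\ \#\{\alpha \in 1_f \mid \mathrm{wt}(\alpha) \in I \cup J\} \ \le\ \sum_{i \in J} \binom{n}{i}. \qquad (9)$$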

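Here comes the question of how to choose $m$ numbers $w_1, w_2, \dots, w_m$ to
obtain a relatively strong necessary condition for algebraic immunity greater
than $k$. Intuitively, the ratio of $\sum_{i \in J} \binom{n}{i}$ and $\sum_{i \in I} \binom{n}{i}$ should be close to 1.

Let $C(i) = \{k + 1 \le w \le n \mid \left[{w - i - 1 \atop k - i}\right] = 1\}$, where $0 \le i \le k$. We claim

$$C(k - i) \supseteq C(k - i - p \cdot 2^{\lceil \log_2(i+1) \rceil}) \qquad (10)$$

for $p \in \mathbb{N}$. To prove (10), it's sufficient to show

$$\left[{w - (k - i) - 1 \atop k - (k - i)}\right] \ \ge\ \left[{w - (k - i - p \cdot 2^{\lceil \log_2(i+1) \rceil}) - 1 \atop k - (k - i - p \cdot 2^{\lceil \log_2(i+1) \rceil})}\right],$$

which is equivalent to

$$\left[{w' \atop i}\right] \ \ge\ \left[{w' + p \cdot 2^{\lceil \log_2(i+1) \rceil} \atop i + p \cdot 2^{\lceil \log_2(i+1) \rceil}}\right],$$

where $w' = w - k + i - 1$. If $\left[{w' \atop i}\right] = 1$, it's obvious. If $\left[{w' \atop i}\right] = 0$, then

$$\begin{aligned}
\left[{w' + p \cdot 2^{\lceil \log_2(i+1) \rceil} \atop i + p \cdot 2^{\lceil \log_2(i+1) \rceil}}\right]
&= \left[{\lfloor w' / 2^{\lceil \log_2(i+1) \rceil} \rfloor + p \atop p}\right] \left[{w' \bmod 2^{\lceil \log_2(i+1) \rceil} \atop i \bmod 2^{\lceil \log_2(i+1) \rceil}}\right] \\
&\le \left[{w' \bmod 2^{\lceil \log_2(i+1) \rceil} \atop i \bmod 2^{\lceil \log_2(i+1) \rceil}}\right]
 = \left[{w' \bmod 2^{\lceil \log_2(i+1) \rceil} \atop i}\right] = 0.
\end{aligned}$$

Therefore, if number $i$ is taken as one of $w_1, w_2, \dots, w_m$, it's wise to take numbers
$i - p \cdot 2^{\lceil \log_2(k-i+1) \rceil}$, $p = 1, 2, \dots$, as well.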

Example 2.7. According to (10), we use the following strategy to choose $w_i$'s
step by step. First, choosing $k - 1 - 2p$, $p = 0, 1, \dots$, we obtain a necessary
condition. Secondly, adding $k - 2 - 2^2 p$, $p = 0, 1, \dots$, we obtain another necessary
condition. In the step $t$, adding $k - 2^{t-1} - 2^t p$, $p = 0, 1, \dots$, we can obtain
a necessary condition. It's worth noticing that $\{k - 2^{t-1} - 2^t p \mid p \in \mathbb{N}\}$, $t =
1, 2, \dots, \lfloor \log_2 k \rfloor + 1$ is a decomposition of $\{0, 1, \dots, k - 1\}$, i.e., they are pairwise
disjoint and their union is $\{0, 1, \dots, k - 1\}$. We demonstrate this strategy
for $n = 15$, $k = 7$ as follows.

• Let $m = 4$, $w_1 = 6$, $w_2 = 4$, $w_3 = 2$, $w_4 = 0$. Thus $I = \{0, 2, 4, 6\}$,
$J = \{8, 10, 12, 14\}$ and the necessary condition is

$6476 \le \#\{\alpha \in 1_f \mid \mathrm{wt}(\alpha) \in I \cup J\} \le 9908$.

• Let $m = 6$, adding $w_5 = 5$, $w_6 = 1$. Thus $I = \{0, 1, 2, 4, 5, 6\}$, $J =
\{8, 9, 10, 12, 13, 14\}$ and the necessary condition is

$9494 \le \#\{\alpha \in 1_f \mid \mathrm{wt}(\alpha) \in I \cup J\} \le 15018$.

• Let $m = 7$, adding $w_7 = 3$. Thus $I = \{0, 1, 2, 3, 4, 5, 6\}$, $J = \{8, 9, 10, 11, 12, 13, 14\}$
and the necessary condition is

$9949 \le \#\{\alpha \in 1_f \mid \mathrm{wt}(\alpha) \in I \cup J\} \le 16383$.
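The step-by-step strategy of Example 2.7, written out as an added example that is not part of the original paper. It builds the sets $I$ and $J$ of Corollary 2.6 from the chosen weights and evaluates both bounds of (9); the function names are chosen here for illustration.

```python
from math import comb

def sets_and_bounds(n, k, ws):
    """I, J and the lower/upper bounds of (9) for chosen weights ws (each <= k)."""
    I = sorted(set(ws))
    # w belongs to J when (k - w_i) is covered bitwise by (w - w_i - 1) for some w_i
    J = sorted(w for w in range(k + 1, n + 1)
               if any(((k - wi) & ~(w - wi - 1)) == 0 for wi in I))
    lower = sum(comb(n, i) for i in I)
    upper = sum(comb(n, j) for j in J)
    return I, J, lower, upper

def step_weights(k, t):
    """Weights added in step t: k - 2^(t-1) - 2^t * p for p = 0, 1, ... while >= 0."""
    return list(range(k - 2 ** (t - 1), -1, -(2 ** t)))

def strategy(n, k):
    """Run steps t = 1, ..., floor(log2 k) + 1, accumulating the chosen weights."""
    ws, results = [], []
    for t in range(1, k.bit_length() + 1):
        ws += step_weights(k, t)
        results.append(sets_and_bounds(n, k, ws))
    return results

if __name__ == "__main__":
    for I, J, lower, upper in strategy(15, 7):
        print(I, J, lower, upper)
```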

References 

[1] R. P. Stanley, "Enumerative Combinatorics, Volume I," Cambridge University
Press, 1997.

[2] N. Li, L. Qu, W. Qi, G. Feng, C. Li and D. Xie, "On the construction
of Boolean functions with optimal algebraic immunity," IEEE Trans. on
Information Theory, vol.54, no.3, pp.1330-1334, March 2008.

[3] A. Canteaut, "Open problems related to algebraic attacks on stream ciphers,"
in Proc. WCC 2005, Invited talk, pp.1-10.

[4] R. M. Wilson, "A diagonal form for the incidence matrices of t-subsets vs
k-subsets," Eur. J. Combin., vol. 11, pp. 609-614, 1990.

[5] C. Carlet, D. K. Dalai, K. C. Gupta, and S. Maitra, "Algebraic immunity for
cryptographically significant Boolean functions: Analysis and construction,"
IEEE Trans. Inf. Theory, vol.52, no.7, pp.3105-3121, Jul. 2006.

[6] F. Armknecht, "Improving fast algebraic attacks," in FSE 2004, vol.3017 of
Lecture Notes in Computer Science, pp. 65-82, Springer-Verlag, 2004.

[7] L. Qu, K. Feng, F. Liu, and L. Wang, "Constructing symmetric Boolean
function with maximum algebraic immunity," IEEE Trans. on Information
Theory, vol.55, no.5, pp.2406-2412, May 2009.

[8] D. K. Dalai, S. Maitra, and S. Sarkar, "Basic theory in construction of
Boolean functions with maximum possible annihilator immunity," Des.
Codes, Cryptogr., vol.40, no.1, pp.41-58, 2006.

[9] N. Courtois, "Fast algebraic attacks on stream ciphers with linear feedback,"
in Advances in Cryptology, CRYPTO 2003 (Lecture Notes in Computer
Science). Berlin, Germany: Springer-Verlag, 2003, vol. 2729, pp. 176-194.

[10] R. L. Graham, D. E. Knuth and O. Patashnik, Concrete Mathematics: A
Foundation for Computer Science, 2nd Edition, Pearson Education, 1994.

[11] A. Canteaut and M. Videau, "Symmetric Boolean functions," IEEE Trans.
on Information Theory, vol.51, no.8, pp. 2791-2811, Aug. 2005.

[12] A. Bracken, "Cryptographic Properties of Boolean functions and S-Boxes,"
thesis, Mar. 2006.






